Many types of online services require a user to perform a log-in procedure to gain access to online information. For example, an online merchant may require a user to first establish an account. That account is commonly associated with a user name and password (and/or other credential information). The online merchant will ask the user to enter valid credential information before gaining access to his or her account.
In such a log-in process, there is a risk that various types of adversaries may gain access to personal information associated with the user. For example, the adversary may learn the secret password or credit card number of the user. The adversary may then exploit the “stolen” information, causing potential harm to the user. Known types of adversarial conduct include phishing attacks, key-logging and spyware attacks, spoofing attacks, cross-site scripting attacks, sniffing attacks, and so on, as well as conventional over-the-shoulder-type eavesdropping attacks. Alternatively, or in addition, a malicious entity may attempt to cause damage to the user's computing resources, e.g., by infecting the user's resources using harmful computer viruses of any type.
To address these challenges, the industry has provided numerous security techniques. These techniques aim, in part, at reducing the risk of unwanted disclosure of personal information in the course of a transaction. The most effective of these techniques satisfy two main objectives. First, an effective technique is successful in thwarting many common modes in which an adversary may exploit a transaction. Second, an effective technique is user-friendly, meaning that the technique does not unduly tax the user by imposing a complicated and burdensome protocol. With respect to these objectives, there remains ample room for improvement in known security techniques.